I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets. Hey everybody, welcome back to Cash in the Cyber Sheets.
I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you back here with us today. And today I wanted to go over something that we actually put in our newsletter, which if you're not subscribed, you can actually subscribe with our link that will be in the description.
But from our newsletter, talking about enforcement by the DOJ: they just issued a $4.6 million fine against a contractor for not following their security requirements. It's a major issue. It actually falls under the FCA, the False Claims Act, and, in another area that we're going to talk about, still with the FCA, a $90 million settlement with Humana and what that means.
So we're going to dive into exactly what happened in those cases and what that could mean for your business if you're not following your security requirements and you don't have your policies and procedures in place. It can cost you a serious amount of money. Before we continue, if you like our episodes, if you like what we have to say, go ahead and click that like, click that subscribe, and show us some love in the comments and let us know things that you would like us to talk about and also different things that have been working for you in your compliance stack.
Okay, so let's talk about the Department of Defense. Now, Department of Defense, Department of Justice, actually DOJ in this case, they hire a lot of contractors to do a lot of the work. That's no big secret.
The government's one of the biggest employers, the biggest employer in the U.S. So with all these contractors, there's all types of requirements. There's a lot of security requirements. Now, traditionally, and for many, many years, contractors have self-certified typically.
What that means is going through a questionnaire saying, yes, we do these things. Here's our security practices. Here's how we secure our systems.
Here's how we do our backups, yada, yada, yada. All of those security questionnaires that you would do, like with insurance or any of your vendors, you do those with the government, and it's typically been a self-certification. Now, fast forward to a few years ago, and the government started looking into a lot of this, and surprise, surprise, a lot of contractors were self-certifying, saying they're doing all these things, but they actually weren't.
And when looking at it, there was a big divide. I believe, I should have this number written down so I can actually reference it, but I believe it was actually about 70% of companies that self-certified weren't doing the things they said they were supposed to do. So that's where the CMMC came in, to create an actual certification process to work with the government.
That's not what this episode's about. What we're going to talk about is the ones that were certifying, saying we're doing it, but they actually weren't. So here they are collecting all this government money, and they actually weren't fully compliant.
They weren't fully following their contract. Well, under the False Claims Act, which has become a much bigger deal, and you're going to see why, under the False Claims Act, the government can actually come back and say, you collected money from the government, you collected money from us, but you weren't doing the things you said you were doing, we're going to take that money back. They can actually even go up to three times the amount that they paid.
So let's say your contract was for a million dollars, they could technically come at you for three million dollars under the False Claims Act. In this case, it was actually 4.6 million dollars that they levied in penalties, fines, everything against this contractor. That's pretty major.
Here's where it gets really scary, however. Under the False Claims Act, it doesn't have to be the government to bring up these cases. They don't have to be the ones to create the suit.
You can actually do it as a whistleblower, or as the False Claims Act calls it, a relator. So if I worked at the company, if I'm involved in some way, I can sue that company on behalf of the government under the False Claims Act, and if that suit wins, as the whistleblower, as that relator, I can get anywhere between 15 and 30 percent of that payout coming to me. In the case of this DOJ payout, the $4.6 million, it was roughly $850,000 going to the whistleblower that brought this up.
And who can whistleblowers be? Well, that could be anybody that you work with or have any involvement with. So it could be a consumer, it could be a client, it could be potentially a disgruntled employee. Maybe you didn't give that raise or that parking spot, and now they're really going to stick it to the company, bring this up, and they're getting a massive payout.
Here's the other thing with it. The attorneys that help support this, not only can they get a portion of that payout, but they can also get potential legal fees. So on top of that payout, they're getting paid for all their time as well.
It is a major incentive for whistleblowers, for attorneys, for other people outside of your company to identify where you're not following the rules and to bring it up. They're going to make a tremendous amount of money under the False Claims Act. Now here's another one that is a massive, massive payout under False Claims Act.
Humana actually completed a $90 million settlement, $90 million over their practices that a whistleblower brought up. Now in that case, that whistleblower got 29% of that payout. They got $26.1 million for bringing this up and bringing this suit.
Now their attorneys got $10 million of that. Still though, a $16 million payout simply for bringing up the case that the employer was not doing what they were supposed to do is a pretty big payout. And if you have, again, any disgruntled employees, even super happy employees, a $16 million payout is maybe hard to pass up.
Now in the Humana case, what's wild is that they're still going back and forth on it, but the attorneys are looking to make an additional $32 million based on all of their fees. So I believe that's a total of $42 million on top of the $16 million that was paid to the whistleblower. That is tremendous incentive for people to find where your company is not following your policies, your procedures, or your security requirements.
It's a major incentive for the government to come in and audit and check. And that's where the FCA has actually become pretty well weaponized. In just 2024, over $2.4 billion were collected under the FCA.
Those are major, major numbers. The government is looking for ways to collect money. They are looking for ways to recoup different losses and employees, anybody, have a huge incentive to jump on the bandwagon and help them do it.
Now, who does the FCA apply to? The False Claims Act applies to anybody that is collecting money from the government. So if you're a healthcare practice and you're doing any Medicare or Medicaid payments, collections, you fall under False Claims Act. If you're a contractor with a government contract, you fall under False Claims Act.
Any money paid by the government puts you under that umbrella of the False Claims Act. And that's really scary because typically a lot of security regulations, a lot of information security requirements, don't have a private right of action, meaning that somebody can't sue you, somebody can't create some sort of an issue or a complaint if you're not following, say, HIPAA. HIPAA doesn't have a private right of action.
If you don't follow HIPAA, I as a patient can't sue you. However, I could create a False Claims Act claim and sue you on behalf of the federal government, and now it's not just an issue of you let my information out. I was only out a few hundred dollars.
It could potentially be you've collected $10 million over the past few years. Now you could potentially be on the hook for $30 million, and I'm going to collect anywhere between 15 and 30% of that. I'm very happy we did business together.
This was the best practice I ever went to. That is what is so scary about the FCA and how not having the policies, your procedures, and your information security program properly tightened can really cost you and your company a massive amount of money. If you'd like to know more about the FCA, if you would like to take a look at your company and see where your potential risk may be, what type of exposure you have, and how you can help protect yourself, please reach out to us.
We'd be more than happy to talk to you and help make sure that your company's properly secured and properly protected. Thank you very much for listening, and until next time. Thanks for joining us today.
Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential.
So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.